• No results found

Investigate malware behavior on android platform

N/A
N/A
Protected

Academic year: 2019

Share "Investigate malware behavior on android platform"

Copied!
24
0
0

Loading.... (view fulltext now)

Full text

(1)

1

INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM

LOH KE LIH

FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY UNIVERSITI TEKNIKAL MALAYSIA MELAKA

2014

(2)

2

JUDUL: INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM

SESI PENGAJIAN: SESI 2013/2014

Saya LOH KE LIH mengaku membenarkan tesis (PSM/Sarjana/Doktor Falsafah) ini disimpan di Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dengan syarat-syarat kegunaan seperti berikut:

1. Tesis dan projek adalah hakmilik Universiti Teknikal Malaysia Melaka.

2. Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dibenarkan membuat salinan untuk tujuan pengajian sahaja.

3. Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dibenarkan membuat salinan tesis ini sebagai bahan pertukaran antara institusi pengajian tinggi.

4. ** Sila tandakan (/)

_____________ SULIT (Mengandungi maklumat yang berdarjah keselamatan atau kepentingan Malaysia seperti yang termaktub di dalam AKTA RAHSIA RASMI

1972)

_____________ TERHAD (Mengandungi maklumat TERHAD yang telah ditentukan oleh organisasi/badan di mana penyelidikan dijalankan)

_____/_______ TIDAK TERHAD

__________________________

___________________________

(TANDATANGAN PENULIS) (TANDATANGAN PENYELIA)

Alamat tetap : 18, Jalan Khalidi, Nama Penyelia : En. Zulkiflee

84000 Muar, Muslim

Johor, Malaysia

(3)

3

INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM

LOH KE LIH

This report is submitted in partial fulfillment of the requirement for the Bachelor of Computer Science (Computer Networking)

FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY UNIVERSITI TEKNIKAL MALAYSIA MELAKA

(4)

4

DECLARATION

I hereby declare this project report entitled

INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM

is written by me and is my own effort and that no part has been plagiarized without citations.

STUDENT :_____________________________ Date:_____________ (LOH KE LIH)

(5)

5

DEDICATION

(6)

6

ACKNOWLEDGEMENTS

I would like to show my gratitude and appreciation to my supervisor, En Zulkiflee bin Muslim for all the ideas and advices in guiding me throughout the project.

I would also like to thank my family members especially my parents because they have given me the greatest support in all sorts of materials throughout my years of studying in this university.

Last but not least, I would like to thanks to all my friends and course mates for their kindness in sharing knowledge and resources.

(7)

7 ABSTRACT

(8)

8 ABSTRAK

(9)

9

TABLE OF CONTENTS

DECLARATION i

DEDICATION ii

ACKNOWLEDGEMENTS iii

ABSTRACT iv

ABSTRAK v

TABLE OF CONTENTS vi

LIST OF TABLES x

LIST OF FIGURES xi

LIST OF ABBREVIATIONS xiii

LIST OF ATTACHMENTS xiv

INTRODUCTION 1

1.1 Introduction 1

1.2 Project Background 2

1.3 Problem Statement 3

1.4 Objective 4

1.5 Scope 5

1.6 Project Contribution 5

1.7 Report Organization 6

1.8 Summary 7

LITERATURE REVIEW 8

2.1 Introduction 8

2.2 Android 9

(10)

10

2.2.2 Android Architecture 9

2.3 Malware 11

2.3.1 Malware Definition and Category 11

2.3.1.1 Trojan Definition and Classification 13

2.3.2 Android Malware 14

2.3.2.1 BaseBridge 16

2.3.2.2 BaseBridge Characteristics and Behaviour 16

2.4 Malware Detection Technique 17

2.4.1 Anomaly-based Detection 18

2.4.1.1 Dynamic Anomaly-based Detection 18

2.4.1.2 Static Anomaly-based Detection 19

2.4.1.3 Hyrid Anomaly-based Detection 19

2.4.2 Specification-based Detection 19

2.4.2.1 Dynamic Specification-based Detection 20

2.4.2.2 Static Specification-based Detection 20

2.4.2.3 Hyrid Specification-based Detection 20

2.4.3 Signature-based Detection 20

2.4.3.1 Dynamic Signature-based Detection 21

2.4.3.2 Static Signature-based Detection 21

2.4.3.3 Hyrid Signature-based Detection 21

2.5 Parameter 22

2.5.1 Network Traffic 22

2.6 Santoku Linux 23

2.7 Summary 24

METHODOLOGY 25

3.1 Introduction 25

3.2 Project Methodology 25

3.3 Phase I: Requirement Analysis 26

3.4 Phase II: Design 26

3.5 Phase III: Implementation 27

3.6 Phase IV: Testing 28

(11)

11

3.8 Project Schedule and Milestones 28

3.9 Summary 31

ANALYSIS & DESIGN 32

4.1 Introduction 32

4.2 Problem Analysis 33

4.3 Requirements Analysis 33

4.3.1 Data Requirements 33

4.3.2 Software Requirements 33

4.3.3 Hardware Requirements 34

4.4 BaseBridge Analysis Approach 35

4.4.1 Network Design 35

4.4.2 Environment Setup 37

4.4.3 Install Malware and Capture Network Traffic 38

4.4.4 Analyse Collected Data 38

4.4 Summary 39

IMPLEMENTATION & TESTING 40

5.1 Introduction 40

5.2 Software Development Environment Setup 41

5.3 Activate Malware, Collect Network Traffic 41

5.3.1 Process Collect Network Traffic Data 41

5.3.2 Network Traffic Collected Data 43

5.4 Test Plan 45

5.4.1 Test Organization 45

5.4.2 Test Environment 45

5.4.3 Test Schedule 46

5.4.4 Test Strategy 47

5.4.4.1 Unit Testing 47

5.4.4.2 Integrate Testing 47

5.4.5 Test Design 47

5.4.5.1 Sample APK Set 47

5.5 Test Result & Analysis 48

(12)

12

5.5.2 Network Traffic Graph 49

5.5.2.1 Ideal Graph 50

5.5.2.2 Graph of Number of Packets 51

5.5.2.3 Graph Protocol 52

5.5.2.4 Graph Destination IP Address 53

5.6 Result Analysis 54

5.7 Summary 55

CONCLUSION 56

6.1 Introduction 56

6.2 Project Summarization 56

6.3 Project Contribution 57

6.4 Project Limitation 57

6.5 Future Project 57

6.6 Summary 58

REFERENCES 59

(13)

13

LIST OF TABLES

TABLE TITLE PAGE

Table 1.1 Summary of Problem Statement 3

Table 1.2 Summary of Research Question 3

Table 1.3 Summaries of Research Objectives 4

Table 1.4 Summary of Project Contributions 5

Table 2.1 Definitions for Malware Category 12

Table 2.2 Definitions for Trojan Classification 13

Table 2.3 Percentage of Mobile Malware Detected in Different Platform 15

Table 3.1: Milestones 28

Table 4.1: The details of hardware requirement 34

Table 5.1 Software Requirements 45

Table 5.2 Hardware Requirements 46

Table 5.3 Testing Schedule 46

Table 5.4 Sample APK File Summarization 48

Table 5.5 Network Traffic Attribute SA1 49

(14)

14

LIST OF FIGURES

FIGURE TITLE PAGE

Figure 2.1 Literature Review Phase 8

Figure 2.2 Android Architecture Structural Diagram 10

Figure 2.3 Malware Categories 11

Figure 2.4 Trojan Classifications 13

Figure 2.5 Type of threats on Android devices 15

Figure 2.6 The Most Frequently Detected Malicious Programs Targeting Android 16 Figure 2.7 The Websites that will access by Android/BaseBridge 17

Figure 2.8 Android Malware Detection Techniques 18

Figure 2.9 IP Header Versions 4 22

Figure 2.10 Santoku Linux Tools 23

Figure 3.1 Project Methodology 26

Figure 4.1 Analysis Approach 35

Figure 4.2 Physical Designs 36

Figure 4.3 Logical Designs 37

Figure 5.1 Steps on Environment Setup 41

Figure 5.2 Process of Collecting Network Traffic 42

Figure 5.3 Collected Network Traffic 43

Figure 5.4 Content of Network Traffic 44

Figure 5.5 Website that visited by BaseBridge 44

Figure 5.6 Ideal Network Traffic Pattern 50

Figure 5.7 Frequency of Packets Number 50

Figure 5.8 Graph of Number of Packets Sample APK 1 51

Figure 5.9 Frequency of Number Packets Sample APK 1 51

(15)

15

Figure 5.11 Frequency of Protocol 53

(16)

16

LIST OF ABBREVIATIONS

ALPHABET WORDS EXPLANATION

A APK Android Application Package File

ARP Address Resolution Protocol

H HTTP Hypertext Transfer Protocol

T TCP Transmission Control Protocol

U UDP User Datagram Protocol

(17)

17

LIST OF ATTACHMENTS

ATTACHMENT TITLE PAGE

A Gantt Chart 64

B Network Traffic Attributes

B.1 Network Traffic Attributes SA2 65 B.2 Network Traffic Attributes SA3 66

C Network Traffic Graph

C.1 Graph of Number of Packet Sample 67 APK 2

C.2 Frequency of Number Packets Sample 67 APK 2

C.3 Graph of Number of Packet Sample 68 APK 3

C.4 Frequency of Number Packets Sample 68 APK 3

C.5 Graph Protocol for SA 2 69

C.6 Graph Frequency of Protocol SA 2 69

C.5 Graph Protocol for SA 3 70

C.6 Graph Frequency of Protocol SA 3 70 C.9 Number of Packet to Destination Port 71 for SA2

(18)

18 CHAPTER I

INTRODUCTION

1.1 Introduction

Nowadays, the mobile platforms and applications are increasing in popularity. However, the popular platform such as Android has greatly stimulated the spread of mobile malware. In order to identify the problem that cause mobile malware spread rapidly, we will discuss about the background of the project which is Android and malware. The research problem will be formulated into three research questions. Based on the research questions, the current problem that faced by the Android user will be clearly shown. After that, the research objective can be generated and all works done in this project will be based on the research objective.

(19)

19

1.2 Project Background

In recent year, the using of smart phone is increasing. There are several of operating system used in smart phone such as Android, IOS, Window, Blackberry and Symbian. Android is the most popular platform used in smart phone which is 79.0% compare to Apple IOS (14.2%), Windows Phone (3.3%), Blackberry (2.7%) and other (0.9%) (mobiThinking, 2014). Android is the largest installed platform and growing fast which placed first among others smart phone operating systems (Micheal Oleaga, 2014, Guru, 2014).

As more and more smart phones come out, the amount of people accessing the Internet greatly increases. So, there is a rapid increase in the amount of malware targeting Android smart phones since it is the most popular operating system used in smart phone. 99% of mobile malware targeted Android devices last year (Brad Reed, 2014).

Malware, short for malicious software, is software used to damage or control the computer operation, gather with sensitive information, or gain access to private computer systems. It can be emerged as a collection of code, script, active content and embedded in other application (McMahon, 2013). Therefore, a script can be generating in order to detect the android malware that found in the smart phones.

Examples of android malware such as DroidKungFu, BeanBot, BaseBridge are the major threats to the security of the android mobile. However, there are some malware will re-implementing some of their malicious functionalities in native code. The changes are possibly to make their detection and analysis harder. (Yajin Zhou, 2012). So, the parameter will be analyzing to know the attack pattern of the malware.

(20)

20

Therefore, dynamic analysis will be using in this project to analyse the android malware. It will focuses on the behaviour of attack, determine how and what it gets installed, how it run, what files have been added or modified, who they are communicate to, etc (Dennis Distler, 2007). So, the parameter such as system call and network traffic will be investigate in this project.

1.3 Problem Statement

Nowadays, malicious code is reportedly infecting Android devices at a rapid speed. Therefore, Android phone users are advised to take extra precautions on this situation. However, the malware characteristics cause difficulty for users to identify and detect their behaviours. The Research Problem (PR) is summarized into Table 1.1.

Table 1.1 Summary of Problem Statement

No Research Problem

RP1 Difficult to detect the appearance of android malware inside the smart phone because most of the anti-virus software is low accuracy.

[image:20.595.111.529.555.678.2]

Thus, Research Questions (RQ) which depicted in Table 1.2 is constructed to identify the research problem as discussed in previous section.

Table 1.2 Summary of Research Question

No Research Question

RQ1 What is the behaviour of different android malware? RQ2 What is the parameter used to detect the android malware's

behaviour?

RQ3 How to detect the android malware using parameter?

RQ1: What is the behaviour of different android malware?

(21)

21

RQ2: What is the parameter used to detect the android malware's behaviour?

This research question is formulated by considering the android malware’s behaviour issue because there are many different type of malware and that may infect to different parameter. Thus, it is important to identifying which parameter is suitable to use for study the malware’s behaviour.

RQ3: How to detect the android malware using parameter?

This research question is formulated by considering the way to extract the behavior of the android malware using parameter and generate the attack pattern dynamically.

1.4 Objective

[image:21.595.105.530.433.552.2]

Based on the research questions formulated in previous section, appropriate research objectives (RO) are developed as follows:

Table 1.3 Summaries of Research Objectives

RP RQ RO Research Objective

RP1 RQ1 RO1 To classify the android malware's behaviour.

RQ2 RO2 To identify the parameter used to detect the android malware's behaviour.

RQ3 RO3 To detect the android malware using parameter.

RO1: To classify the android malware's behaviour.

Firstly, we need to classify the type of android malware and the behaviour of android malware in order to find out the feature of malware. Different type of malware may have different type of behaviour.

RO2: To identify the parameter used to detect the android malware's behaviour.

(22)

22

RO3: To detect the android malware using parameter.

After identify the parameter, we need to develop a script to detect the android malware automatically using its parameter.

1.5 Scope

Scope of project is going to be conducted as follows:

1. Using only one specific type of android malware.

2. Focusing on behaviour of android malware in order to generate the attack patterns of android malware by using network traffic.

3. Tcpdump and Wireshark will be used in this project to sniff the network.

1.6 Project Contribution

[image:22.595.104.530.519.609.2]

The contribution of this project are summarized in Table 1.4

Table 1.4 Summary of project contributions

RP RQ RO RC Research Contribution

RP1 RQ1 RO1 RC1 The classification of android malware's behaviour. RQ2 RO2 RC2 The parameter of android malware's behaviour. RQ3 RO3 RC3 Detecting the malware’s attack pattern using parameter.

(23)

23

1.7 Report Organization

Chapter 1: Introduction

This chapter will discuss about the introduction, project background, problem statement, research question, research objective, project scope, project contribution and report organization.

Chapter 2: Literature Review

This chapter will study about the related works such as android, malware, malware attack pattern, malware analysis technique, parameter and operating system used. The related works will be contribute to the next chapter.

Chapter 3: Methodology

This chapter will explain the method used to analyse android malware and project methodology. Project schedule and milestones will discuss in this chapter to finish the project in time.

Chapter 4: Analysis and Design

This chapter will introduce the problem analysis, requirements of software and hardware. The experimental design such as logical design and physical design will also conduct in this chapter. Environment will setup based on the requirements.

Chapter 5: Implementation and Testing

This chapter will describe the method to implement and test the collected data in order to carry out the graph to support the evidence. The test result and analysis will conclude in this chapter.

Chapter 6: Conclusion

(24)

24

1.8 Summary

Figure

Table 1.2 Summary of Research Question
Table 1.3 Summaries of Research Objectives
Table 1.4 Summary of project contributions

References

Related documents

The BC model does a better job pricing indices (percentage mispricing around 30%) than individual stocks (mispricing around 70%), presumably because indices tend to have lower

The study showed that fixed assets, set up and current asset financing have positive relation with the growth of SMEs and Islamic modes of financing was not behaved as moderator

The north-south allgnment of the Sumatra coastline suggest a fault zone on the west flank of the Sunda basin adjacent to the Lampung high.. A similar basement

In this chapter, we saw how Parsons was not travelling in the area imagined by the Scottish Enlightenment thinkers as nomadic, barbarian, rude and beyond the civilising stage

The purpose of this report was to explore the relationship between the remuneration of the executive directors of listed companies in South Africa and company performance

Originally designed for Scheme, Kawa’s IR has been generalized to support basic generic features that are common in many very high level languages.. In addition, Kawa has

The normative analysis shows that a firm’s optimal targeting strategies, both of- fensive and defensive, depend on its actual market share, the relevant redemption rate of its

− Many large business customers have small sites that ERM Power can now supply. − Many brokers who bring large customers to ERM Power also represent